Lately I have been engaged in a lot of assessments, and reporting has been a major factor for the clients' bosses upstairs. Reporting is one thing techies always hate doing, and I do too, but for the sake of these non-technical folks we need to make sure reports are done well and interpreted to the point that they understand them even before a presentation.
Now, the reporting matrix should at least use colour indexing and good diagrams, even if it means using Visio to draw how an attacker would penetrate from an internal or external position. Terms like Ease of Exploitation, Potential Impact and Ease of Identification help management understand the overall risk of a vulnerability, its associated criticality, and how to fix it.
Sometimes the departments involved in fixing the problem or vulnerability tend to overstate the issue or deny its capability, so as to drag out the whole assessment or to avoid looking bad to management, so the evidence has to be well shown and illustrated.
The methodology used, the type of tools, and the timelines are also important aspects. The message has to be clear and to the point.